diff --git a/app/models/user.py b/app/models/user.py index c22fce4b7..9433b1266 100644 --- a/app/models/user.py +++ b/app/models/user.py @@ -227,7 +227,9 @@ class User(JSONModel, UserMixin): if not service_id and not org_id: # we shouldn't have any pages that require permissions, but don't specify a service or organization. # use @user_is_platform_admin for platform admin only pages - raise NotImplementedError + # raise NotImplementedError + print(f"VIEW ARGS ARE {request.view_args}") + pass log_msg = f"has_permissions user: {self.id} service: {service_id}" # platform admins should be able to do most things (except eg send messages, or create api keys) diff --git a/app/notify_client/__init__.py b/app/notify_client/__init__.py index 3bbb35733..46f6732e1 100644 --- a/app/notify_client/__init__.py +++ b/app/notify_client/__init__.py @@ -1,6 +1,6 @@ import os -from flask import abort, has_request_context, request +from flask import abort, current_app, has_request_context, request from flask_login import current_user from notifications_python_client import __version__ from notifications_python_client.base import BaseAPIClient @@ -67,6 +67,17 @@ class NotifyAdminAPIClient(BaseAPIClient): or "/email-code" in arg ): still_signing_in = True + + print(f"HERE IS ARG {arg}") + if arg == (): + print("ARG WAS EMPTY TUPLE") + elif not arg: + print("ARG WAS NOT") + elif len(arg[0]) == 0: + print("arg0 was len 0") + elif str(arg) == "()": + print("string arg was ()") + still_signing_in = True # TODO: Update this once E2E tests are managed by a feature flag or some other main config option. if os.getenv("NOTIFY_E2E_TEST_EMAIL"): # allow end-to-end tests to skip check @@ -75,6 +86,7 @@ class NotifyAdminAPIClient(BaseAPIClient): # we are not full signed in yet pass elif not current_user or not current_user.is_active: + current_app.logger.error(f"WHY FAILING {args}") abort(403) def post(self, *args, **kwargs): 
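Review bot: Commenting out `raise NotImplementedError` in the `if not service_id and not org_id:` branch turns a fail-closed guard in has_permissions into a fall-through, so a call with neither id now continues into the permission logic below instead of stopping. The rest of the method is outside this hunk, so it is not visible whether that path can return True, but an authorization check with no scope to evaluate should refuse explicitly: either keep the raise and fix the caller that triggers it, or replace the three added lines with `return False` if that is acceptable for platform admins. The added `print(f"VIEW ARGS ARE {request.view_args}")` is debug output that bypasses the application logger and should not ship; if the value is needed, log it at debug level. The trailing `pass` does nothing and can be dropped.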
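Review bot: The added `still_signing_in = True` after the `elif str(arg) == "()":` test widens the set of calls that skip the inactive-user check, because that flag steers execution into the `# we are not full signed in yet` branch instead of the `abort(403)` further down. Indentation is lost in this view, so it is unclear whether the assignment sits under the last `elif` or runs unconditionally; in the second case every call would bypass the check. The sign-in exemption should stay an explicit allowlist of path fragments like the `"/email-code" in arg` test above, not a match on an empty or stringified-empty argument. The five `print(...)` calls are debugging residue. If `arg` is the loop variable of a `for` over `args` that starts above this hunk, it is unbound when `args` is empty and the first print would raise NameError. Drop the block, or log once through the app logger at debug level.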
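Review bot: `current_app.logger.error(f"WHY FAILING {args}")` writes the full call arguments to the error log on every rejected request. The tests earlier in this method match them against paths such as `user/email` and `/email-code`, so they may carry user identifiers. A 403 for an inactive or anonymous user is an expected outcome worth recording, but at warning level with a stable message and only the fields needed for triage, e.g. `current_app.logger.warning("API call blocked: user is not active")`. If the arguments are needed, pass them as lazy %-style parameters rather than an f-string. The method starts above this hunk.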
diff --git a/app/templates/new/components/header.html b/app/templates/new/components/header.html index cbdc21cf7..3e3d6fef8 100644 --- a/app/templates/new/components/header.html +++ b/app/templates/new/components/header.html @@ -14,10 +14,17 @@ {% endif %} {% if current_service %} - {% set secondaryNavigation = [ - {"href": url_for('main.service_settings', service_id=current_service.id), "text": "Settings", "active": secondary_navigation.is_selected('settings')}, + {% if current_user.has_permissions('manage_service') %} + {% set secondaryNavigation = [ + {"href": url_for('main.service_settings', service_id=current_service.id), "text": "Settings", "active": secondary_navigation.is_selected('settings')}, + {"href": url_for('main.sign_out'), "text": "Sign out"} + ] %} + {% else %} + {% set secondaryNavigation = [ {"href": url_for('main.sign_out'), "text": "Sign out"} - ] %} + ] %} + + {% endif %} {% else %} {% set secondaryNavigation = [{"href": url_for('main.sign_out'), "text": "Sign out"}] %} {% endif %}
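Review bot: The new `{% if current_user.has_permissions('manage_service') %}` only hides the Settings link and is not access control, so the `main.service_settings` view must enforce the same permission on the server, which this diff does not show. The call names no service, and it seems to be the reason the guard in `User.has_permissions` is disabled in the user.py hunk of this commit. It would be safer to keep that guard and make this call unambiguous about which service it checks. On style, the Sign out entry is now repeated in three lists; build the list once and add the Settings entry to it conditionally. The empty added line before `{% endif %}` can go.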